{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/crowdstrike-fdr/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled (set to 1), allows remote connections from local members of the Administrators group to be granted full high-integrity tokens during negotiation. This bypasses User Account Control (UAC) restrictions, allowing for elevated privileges remotely. Attackers may modify this registry setting to facilitate lateral movement within a network. This rule detects modifications to this specific registry setting, alerting on potential unauthorized changes that could lead to defense evasion and privilege escalation. The modification of this policy has been observed being leveraged in conjunction with pass-the-hash attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains local administrator credentials on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the LocalAccountTokenFilterPolicy registry key to a value of 1. This is done to allow remote connections from local administrator accounts to receive high-integrity tokens. The registry key is typically located at \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a \u0026ldquo;pass the hash\u0026rdquo; attack (T1550.002) using the compromised local administrator credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network using the \u0026ldquo;pass the hash\u0026rdquo; technique and the modified LocalAccountTokenFilterPolicy.\u003c/li\u003e\n\u003cli\u003eDue to the LocalAccountTokenFilterPolicy being enabled, the remote connection from the local administrator account receives a full high-integrity token.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses UAC on the remote system, gaining elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities on the remote system, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the LocalAccountTokenFilterPolicy allows attackers to bypass User Account Control (UAC) and gain elevated privileges on remote systems, potentially leading to unauthorized access to sensitive data, lateral movement across the network, and the deployment of ransomware. The overall impact can include data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized modifications to the LocalAccountTokenFilterPolicy registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the registry, which is required for the \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule query and ensure they are legitimate and necessary to prevent false positives.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e path, specifically looking for changes to the value data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-02-local-account-token-filter-policy-disabled/","summary":"Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.","title":"Local Account TokenFilter Policy Modification for Defense Evasion and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-02-local-account-token-filter-policy-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Windows Defender Application Control","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["wdac","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows Defender Application Control (WDAC) to disable or weaken endpoint defenses. By crafting malicious WDAC policies, adversaries can block legitimate security software and evade detection. This technique involves creating WDAC policy files (.p7b or .cip) in protected system directories using unauthorized processes. The activity often occurs when attackers have already gained a foothold in the system and are attempting to solidify their position. Successful deployment of a malicious WDAC policy can significantly hinder incident response and allow malware to operate undetected. This tactic has gained traction since late 2024, with offensive tools like Krueger demonstrating the potential for weaponizing WDAC against EDR solutions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative access, which is required to modify WDAC policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Creation:\u003c/strong\u003e The attacker crafts a malicious WDAC policy using tools or scripts. This policy is designed to block specific security products or processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The malicious policy is staged in a temporary location on the system, often within user-writable directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Placement:\u003c/strong\u003e The attacker moves the malicious WDAC policy file (.p7b or .cip) to a protected system directory, such as \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e. The tool used may be a Living-off-the-Land Binary (LOLBin) or a custom .NET assembly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivation:\u003c/strong\u003e The attacker triggers the activation of the new WDAC policy, which often requires a system reboot or the use of a service control utility.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Once the policy is active, the targeted security products are blocked, allowing the attacker to operate with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Objectives:\u003c/strong\u003e With defenses weakened, the attacker can move laterally within the network, exfiltrate data, or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting WDAC can severely impair an organization\u0026rsquo;s ability to detect and respond to threats. By blocking security software, attackers can operate with impunity, leading to data breaches, financial losses, and reputational damage. Observed damage includes disabled endpoint detection and response (EDR) solutions, allowing ransomware and other malware to execute without interference. The scope of impact can range from individual workstations to entire domains, depending on the breadth of the WDAC policy deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;WDAC Policy File by an Unusual Process\u0026rdquo; Sigma rule to your SIEM to detect unauthorized WDAC policy modifications.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events with extensions .p7b and .cip in \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e directories, specifically filtering for processes other than \u003ccode\u003epoqexec.exe\u003c/code\u003e, \u003ccode\u003eTiWorker.exe\u003c/code\u003e, and \u003ccode\u003eomadmclient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture file creation events and provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on WDAC policy directories to prevent unauthorized modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-wdac-policy-evasion/","summary":"Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.","title":"WDAC Policy File Creation by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-11-wdac-policy-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","wbadmin","ntds.dit"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the execution of \u003ccode\u003ewbadmin.exe\u003c/code\u003e with arguments indicative of an attempt to access and dump the NTDS.dit file from a Windows domain controller. Attackers with sufficient privileges, specifically those belonging to groups like Backup Operators, can abuse the legitimate \u003ccode\u003ewbadmin.exe\u003c/code\u003e utility to create a backup of the Active Directory database (NTDS.dit). This file contains sensitive credential information, and once obtained, attackers can extract password hashes and compromise the entire domain. This activity is often part of a larger attack aimed at gaining persistent access and control over the network. The Elastic detection rule was published on 2024-06-05 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target network. This may be achieved through phishing, exploiting vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain membership in the Backup Operators group or a similar privileged group capable of running backups.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003erecovery\u003c/code\u003e argument, targeting the NTDS.dit file. The command line includes parameters to create a system state backup.\u003c/li\u003e\n\u003cli\u003eWbadmin creates a backup of the system state, including the NTDS.dit file, in a specified location.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the NTDS.dit file from the backup location to a separate location for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003entdsutil.exe\u003c/code\u003e or \u003ccode\u003esecretsdump.py\u003c/code\u003e to extract password hashes from the NTDS.dit file.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the password hashes or uses them in pass-the-hash attacks to gain access to other systems and resources within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves domain dominance and persistence, allowing them to control critical systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to dump credentials from the NTDS.dit file, leading to complete compromise of the Active Directory domain. This enables them to move laterally, access sensitive data, and establish persistent control over the environment. The impact can include data breaches, ransomware deployment, and long-term disruption of business operations. The medium risk score indicates that while the attack requires specific privileges, the consequences are significant if successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution as described in the Attack Chain (Data Source: Windows Security Event Logs, Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution with NTDS.dit related arguments in your SIEM (Rule: NTDS Dump via Wbadmin).\u003c/li\u003e\n\u003cli\u003eMonitor and restrict membership in privileged groups like Backup Operators to minimize the risk of abuse (Reference: \u003ca href=\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960)\"\u003ehttps://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate backup schedules or disaster recovery processes to reduce false positives (False positive analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-ntds-dump-wbadmin/","summary":"Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.","title":"NTDS Dump via Wbadmin","url":"https://feed.craftedsignal.io/briefs/2024-07-ntds-dump-wbadmin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Endpoint Security","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can disable the Antimalware Scan Interface (AMSI) to evade detection by modifying the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key. This technique is commonly employed to execute malicious scripts without triggering security warnings or blocks. The AMSI, a Windows feature, allows applications and services to request the scanning of potentially malicious content (e.g., PowerShell scripts, JScript) before execution. By setting the \u003ccode\u003eAmsiEnable\u003c/code\u003e value to 0, an attacker can disable AMSI for the current user, effectively bypassing real-time script scanning. This action is often a precursor to deploying further malicious payloads or establishing persistence on a compromised system. This behavior has been observed since at least 2019 and continues to be a relevant defense evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or binary that attempts to modify the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe script or binary uses \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or another tool to set the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry value to 0. The registry key location is typically \u003ccode\u003eHKEY_USERS\\\u0026lt;SID\u0026gt;\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter successfully disabling AMSI, the attacker proceeds to execute malicious scripts or code. These scripts may use \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious scripts download and execute additional payloads, such as malware or remote access tools (RATs).\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network using the compromised system as a pivot.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence, ensuring continued access to the system even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key allows attackers to execute malicious scripts without triggering AMSI alerts, leading to potential malware infections, data breaches, and system compromise. Disabling AMSI significantly reduces the effectiveness of endpoint security solutions, making the system more vulnerable to attack. The impact can range from individual workstation compromise to widespread network infections, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Registry Events\u003c/code\u003e to your SIEM to detect modifications to the \u003ccode\u003eAmsiEnable\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes modifying registry keys, especially \u003ccode\u003ereg.exe\u003c/code\u003e and PowerShell, using the rule \u003ccode\u003eDetect AmsiEnable Registry Modification via Process Creation\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly to determine if the activity is malicious or legitimate.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted scripts and binaries.\u003c/li\u003e\n\u003cli\u003eHarden systems by restricting user permissions to modify critical registry keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:23:00Z","date_published":"2024-01-27T18:23:00Z","id":"/briefs/2024-01-amsi-registry-disable/","summary":"Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.","title":"AMSI Enable Registry Key Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-registry-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-sandbox","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may abuse the Windows Sandbox feature to evade detection by running malicious code within the isolated environment. This involves configuring the sandbox with sensitive options such as granting write access to the host file system, enabling network connections, and setting up automatic command execution via logon. By running within the sandbox with these configurations, malware can potentially interact with the host system, while making detection more difficult. This technique is used for defense evasion, hiding artifacts, and executing malicious activities within a virtualized environment to avoid direct exposure on the host. The rule identifies the start of a new container with sensitive configurations like write access to the host file system, network connection and automatic execution via logon command.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages Windows Sandbox by executing \u003ccode\u003ewsb.exe\u003c/code\u003e or \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the sandbox to enable networking using \u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker grants the sandbox write access to the host file system using \u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a logon command to automatically execute malicious code when the sandbox starts using \u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe sandbox initializes and executes the configured logon command.\u003c/li\u003e\n\u003cli\u003eThe malicious code interacts with the host file system and network, performing actions such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying ransomware or stealing sensitive information, while operating from within the isolated sandbox environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using Windows Sandbox abuse can lead to a range of negative impacts. Attackers may gain unauthorized access to sensitive data, compromise system integrity, or disrupt business operations. The use of the sandbox environment helps to conceal malicious activity, making detection and remediation more challenging. The damage can include data breaches, financial losses, reputational damage, and regulatory penalties. Successful exploitation allows malware to interact with the host system, potentially affecting multiple systems on the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Windows Sandbox with Sensitive Configuration\u0026rdquo; detection rule to your SIEM to identify potential sandbox abuse attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable networking (\u003ccode\u003e\u0026lt;Networking\u0026gt;Enable\u0026lt;/Networking\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;NetworkingEnabled\u0026gt;true\u0026lt;/NetworkingEnabled\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that enable write access to the host file system (\u003ccode\u003e\u0026lt;HostFolder\u0026gt;C:\\\\\u0026lt;ReadOnly\u0026gt;false\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewsb.exe\u003c/code\u003e and \u003ccode\u003eWindowsSandboxClient.exe\u003c/code\u003e with command-line arguments that define logon commands (\u003ccode\u003e\u0026lt;LogonCommand\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-10T12:00:00Z","date_published":"2024-01-10T12:00:00Z","id":"/briefs/2024-01-windows-sandbox-abuse/","summary":"This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically execute commands via logon, identifying the start of a new container with these sensitive configurations.","title":"Windows Sandbox Abuse with Sensitive Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-sandbox-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Subsystem for Linux","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["medium"],"_cs_tags":["wsl","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may leverage the Windows Subsystem for Linux (WSL) to evade detection by operating within a Linux environment on a Windows host. The installation of a new WSL distribution involves specific registry modifications. This rule identifies such modifications, providing an alert when a new WSL distribution is installed. This is important for defenders as it could signal an attacker setting up a persistent and potentially hidden environment for malicious activities. WSL allows attackers to utilize Linux tools and techniques on a Windows system, potentially bypassing traditional Windows-based security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows system through existing vulnerabilities or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker elevates their privileges to perform system-level changes, including registry modifications.\u003c/li\u003e\n\u003cli\u003eWSL Installation: The attacker initiates the installation of a WSL distribution. This may involve downloading and executing a WSL installer package.\u003c/li\u003e\n\u003cli\u003eRegistry Modification: During installation, the system modifies the registry to configure and register the new WSL distribution. Specifically, keys under \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\\u003c/code\u003e are created/modified.\u003c/li\u003e\n\u003cli\u003eWSL Environment Setup: The attacker configures the installed WSL distribution, potentially installing additional tools and software needed for their objectives.\u003c/li\u003e\n\u003cli\u003eExecution of Malicious Activities: The attacker executes malicious commands and scripts within the WSL environment, leveraging Linux tools to perform actions such as lateral movement, data exfiltration, or persistence.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker utilizes WSL to evade detection, as traditional Windows-based security tools may not effectively monitor or analyze activity within the Linux subsystem.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence within the WSL environment, ensuring continued access to the compromised system even after reboots or security updates.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a hidden and persistent environment within the compromised Windows system. This can lead to data theft, system compromise, and further propagation of the attack within the network. The number of victims and affected sectors depends on the scope and objectives of the attacker. The use of WSL for malicious purposes can significantly complicate incident response and remediation efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WSL Installation via Registry Modification\u0026rdquo; to your SIEM to detect new WSL installations by monitoring registry changes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rule to function correctly (see setup instructions in the rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the WSL installation and identify potential malicious activities.\u003c/li\u003e\n\u003cli\u003eMonitor for execution of suspicious processes within WSL environments, as described in \u0026ldquo;Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T16:00:00Z","date_published":"2024-01-03T16:00:00Z","id":"/briefs/2024-01-wsl-registry-modification/","summary":"This rule detects registry modifications indicative of a new Windows Subsystem for Linux (WSL) distribution installation, a technique adversaries may leverage to evade detection by utilizing Linux environments within Windows.","title":"Windows Subsystem for Linux Distribution Installed via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR","Elastic Endgame","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi-bypass","dll-hijacking","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","CrowdStrike","Elastic"],"content_html":"\u003cp\u003eThe Antimalware Scan Interface (AMSI) is a Windows interface that allows applications and services to integrate with antimalware products. Attackers may attempt to bypass AMSI to execute malicious code without detection. This detection identifies the creation of the AMSI DLL (\u003ccode\u003eamsi.dll\u003c/code\u003e) in unusual locations, which is a common technique used to load a rogue AMSI module instead of the legitimate one. This technique can be used to evade detection by security products that rely on AMSI for scanning potentially malicious scripts and code. The rule is designed to work with data from Winlogbeat, Elastic Endpoint, Sysmon, Endgame, SentinelOne Cloud Funnel, Microsoft Defender XDR, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker determines the location of the legitimate \u003ccode\u003eamsi.dll\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a writable directory where a malicious \u003ccode\u003eamsi.dll\u003c/code\u003e can be placed. This location must be in the search order of applications that use AMSI, such as PowerShell or other scripting hosts.\u003c/li\u003e\n\u003cli\u003eThe attacker copies or creates a malicious \u003ccode\u003eamsi.dll\u003c/code\u003e in the identified location. This rogue DLL is designed to bypass or disable AMSI functionality.\u003c/li\u003e\n\u003cli\u003eA process like PowerShell or another scripting host is launched. Because the malicious \u003ccode\u003eamsi.dll\u003c/code\u003e is in a higher-priority directory, it is loaded instead of the legitimate AMSI library.\u003c/li\u003e\n\u003cli\u003eThe launched process executes malicious code (e.g., PowerShell script).\u003c/li\u003e\n\u003cli\u003eBecause the rogue \u003ccode\u003eamsi.dll\u003c/code\u003e is loaded, AMSI scans are bypassed, allowing the malicious code to execute without detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful AMSI bypass can allow attackers to execute malicious code, such as malware, scripts, or exploits, without detection by antimalware products. This can lead to system compromise, data theft, or other malicious activities. The impact can range from a single compromised endpoint to a wider breach of an organization\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file creation monitoring with Sysmon or Elastic Defend to detect the creation of files, specifically DLLs, in unusual locations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Antimalware Scan Interface DLL Creation\u0026rdquo; to your SIEM to detect the creation of \u003ccode\u003eamsi.dll\u003c/code\u003e in non-standard paths. Tune the rule for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process, file path, and user context to determine if the activity is malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-amsi-dll-hijack/","summary":"An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.","title":"Suspicious Antimalware Scan Interface DLL Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-dll-hijack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Citrix System32","MSACCESS.EXE","GTInstaller","Elastic Defend","SentinelOne Cloud Funnel","Microsoft Defender XDR","Crowdstrike FDR","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","script-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix","Quokka.Works","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies the execution of scripts via HTML applications, leveraging Windows utilities like \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003emshta.exe\u003c/code\u003e. Attackers often use this method to bypass process and signature-based defenses by proxying the execution of malicious content through legitimate, signed binaries. The detection focuses on specific command-line arguments and patterns associated with this technique, while also excluding known legitimate uses by applications such as Citrix System32 (\u003ccode\u003ewfshell.exe\u003c/code\u003e), Microsoft Access (\u003ccode\u003eMSACCESS.EXE\u003c/code\u003e), and Quokka.Works (\u003ccode\u003eGTInstaller.exe\u003c/code\u003e). This technique is used by attackers to execute malicious scripts without directly running them, thus evading traditional security measures. The detection rule analyzes process names, command-line arguments, parent processes, and file paths to identify potentially malicious activity indicative of defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through various means (e.g., phishing, drive-by download).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a malicious HTML application (HTA) file or a scriptlet (SCT) file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the malicious HTA or SCT file. The command line includes obfuscated or encoded script content.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e process spawns a child process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, to execute further commands.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious code, such as downloading and executing a payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement by exploiting vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data exfiltration, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise the system, steal sensitive data, deploy ransomware, or establish a persistent foothold. Due to the nature of the technique, it can bypass many traditional security measures. The wide adoption of Windows and the inherent trust placed in signed binaries makes this a potent evasion technique. Failure to detect and prevent this attack can lead to significant financial and reputational damage for the targeted organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Script Execution via Microsoft HTML Application\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e executions. Tune the rule by adding exceptions for known legitimate uses in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the visibility required for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for suspicious arguments like \u0026ldquo;script:eval\u0026rdquo;, \u0026ldquo;WScript.Shell\u0026rdquo;, and \u0026ldquo;mshta http\u0026rdquo; which are indicative of this technique.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e where they are not required for legitimate business purposes.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any identified malicious HTA files or scriptlet URLs found in the command lines of detected processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-script-execution-via-html-app/","summary":"Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.","title":"Script Execution via Microsoft HTML Application","url":"https://feed.craftedsignal.io/briefs/2024-01-script-execution-via-html-app/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe legacy Windows AT command allows scheduling tasks for execution. While deprecated since Windows 8 and Windows Server 2012, it remains present for backwards compatibility. Attackers may enable the AT command through registry modifications to achieve persistence or lateral movement within a network. This technique bypasses modern security controls and can be difficult to detect without specific monitoring. The detection rule monitors registry changes enabling this command, flagging potential misuse by checking specific registry paths and values indicative of enabling the AT command. The use of this command allows an attacker to execute commands with elevated privileges, potentially compromising the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enable the AT command by modifying the registry.\u003c/li\u003e\n\u003cli\u003eThe registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e is modified to a value of \u0026ldquo;1\u0026rdquo; or \u0026ldquo;0x00000001\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AT command to schedule a malicious task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes a command or script, such as downloading and executing malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eEnabling the AT command can lead to unauthorized task scheduling, malware execution, persistence, and lateral movement within a network. Successful exploitation can compromise sensitive data, disrupt operations, and grant attackers persistent access to critical systems. The use of a deprecated command makes it harder to detect, increasing the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry events for modifications to \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt\u003c/code\u003e as described in the rule overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and registry event logging to activate the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule \u0026ldquo;Scheduled Tasks AT Command Enabled\u0026rdquo; for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-at-command-enabled/","summary":"Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.","title":"Windows Scheduled Tasks AT Command Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-at-command-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","registry-modification","ssp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can abuse the Windows Security Support Provider (SSP) mechanism to establish persistence on a compromised system. SSPs are DLLs loaded into the Local Security Authority Subsystem Service (LSASS) process, which handles authentication in Windows. By modifying specific registry keys related to SSP configuration, attackers can force LSASS to load malicious DLLs at startup, effectively creating a persistent backdoor. This technique is often used to maintain unauthorized access to a system even after a reboot. The registry keys of interest are \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e and \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e. Successful exploitation allows the attacker to intercept and manipulate authentication credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through an exploit or compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e to include a path to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e to include a path to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a system reboot, or restarts the LSASS process, causing the malicious SSP DLL to be loaded.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts authentication credentials and exfiltrates them or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system, even after reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence and potentially compromise sensitive credentials handled by LSASS. This can lead to lateral movement within the network, data exfiltration, and further system compromise. The impact is significant as it bypasses standard security measures and provides a persistent foothold for malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious SSP Registry Modification\u0026rdquo; to your SIEM to detect unauthorized modifications to SSP registry keys.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eContinuously monitor for unexpected processes writing to the \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e and \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e registry keys.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installers that frequently modify these registry entries to reduce false positives as mentioned in the brief.\u003c/li\u003e\n\u003cli\u003eEnsure access controls and permissions are strictly enforced to limit unauthorized modification of critical registry paths related to Security Support Providers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-ssp-registry-modification/","summary":"Adversaries may modify the Windows Security Support Provider (SSP) configuration in the registry to establish persistence or evade defenses.","title":"Suspicious Modifications to Windows Security Support Provider (SSP) Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-ssp-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft Defender XDR","Commvault","Nvidia Display Driver","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","appinit-dlls","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Commvault","Nvidia","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe AppInit DLLs mechanism allows dynamic-link libraries (DLLs) to be loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. This mechanism is intended for customization of the user interface and behavior of Windows-based applications. However, attackers can abuse this by adding malicious DLLs to the registry locations associated with AppInit DLLs. This enables them to execute code with elevated privileges, similar to process injection, and maintain a persistent presence on the compromised machine. This technique is often used to maintain access after initial compromise. Detection focuses on registry modifications to the relevant keys, excluding known legitimate processes to minimize false positives. The referenced Elastic rule was last updated on 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a vulnerability, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the AppInit DLLs registry keys: \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\u003c/code\u003e or \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eAppInit_DLLs\u003c/code\u003e registry value to include the path to their malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s DLL is placed on the filesystem, typically in a location where it will persist across reboots.\u003c/li\u003e\n\u003cli\u003eAny new process that loads user32.dll will automatically load the attacker\u0026rsquo;s malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the newly created process.\u003c/li\u003e\n\u003cli\u003eThe attacker can use this code execution to perform further actions, such as installing backdoors or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system through the malicious DLL loaded into every user interface process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within the context of any process that loads \u003ccode\u003euser32.dll\u003c/code\u003e. This provides a persistent mechanism for maintaining access to the compromised system. The attacker gains code execution with elevated privileges, similar to process injection. This can lead to data theft, system compromise, or further lateral movement within the network. While no specific victim counts are mentioned, the widespread use of Windows makes this a potentially high-impact vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications to the \u003ccode\u003eAppInit_DLLs\u003c/code\u003e value in \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\u003c/code\u003e and \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\u003c/code\u003e using the \u0026ldquo;Registry Persistence via AppInit DLL Modification\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the data required for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Registry Persistence via AppInit DLL Modification\u0026rdquo; Sigma rule to your SIEM and tune the filter to exclude known-good DLL paths in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the parent process and the DLL being loaded.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-appinit-dll-persistence/","summary":"Modification of the AppInit DLLs registry keys on Windows systems allows attackers to execute code in every process that loads user32.dll, establishing persistence and potentially escalating privileges.","title":"Registry Persistence via AppInit DLL Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-appinit-dll-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","dll-hijacking"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of the Windows Side-by-Side (SxS) feature to execute malicious code. Attackers can place a malicious DLL file within an application\u0026rsquo;s local SxS folder (application.exe.local) and trick the Windows module loader into prioritizing it over legitimate system DLLs. This technique, known as DLL hijacking or DLL redirection, allows adversaries to gain arbitrary code execution within the context of the targeted application. This technique may be used to bypass security controls, escalate privileges, or establish persistence. The detection focuses on file events related to DLLs within these specific SxS folders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a legitimate application with an associated SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a malicious DLL file.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL file in the application\u0026rsquo;s SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eA legitimate application attempts to load a DLL.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the malicious DLL in the SxS folder, the Windows module loader prioritizes the attacker\u0026rsquo;s DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is loaded and executed by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution within the context of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution within the targeted application\u0026rsquo;s context. This can result in privilege escalation, data theft, system compromise, or the establishment of persistence mechanisms. While the number of directly affected organizations is unknown, this technique can be used against a wide range of applications on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events for DLL files in \u003ccode\u003eC:\\*\\*.exe.local\\*.dll\u003c/code\u003e and \u003ccode\u003e\\\\Device\\\\HarddiskVolume*\\\\*\\\\*.exe.local\\\\*.dll\u003c/code\u003e using the provided Sigma rule to detect potential malicious DLL planting.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to improve visibility into file creation events, as noted in the \u003ca href=\"https://ela.st/sysmon-event-11-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the DLL creation event and the involved application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-local-sxs-dll-execution/","summary":"This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.","title":"Execution via Local SxS Shared Module","url":"https://feed.craftedsignal.io/briefs/2024-01-03-local-sxs-dll-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","registry","ifeo","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eImage File Execution Options (IFEO) injection is a Windows feature that allows developers to debug applications by specifying an alternative executable to run. Attackers abuse this feature by modifying the Debugger and SilentProcessExit registry keys, setting a debugger to execute malicious code instead of the intended application. This technique is used to establish persistence or evade defenses. The attack involves modifying registry keys under \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\u003c/code\u003e, \u003ccode\u003eHKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\u003c/code\u003e, \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\u003c/code\u003e, and \u003ccode\u003eHKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\u003c/code\u003e. This matters to defenders because successful IFEO injection can allow attackers to maintain persistent access to a system and execute malicious code without detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through unspecified means (e.g., exploiting a vulnerability or using stolen credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative access, allowing modification of sensitive registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry, specifically the \u003ccode\u003eDebugger\u003c/code\u003e or \u003ccode\u003eMonitorProcess\u003c/code\u003e values within the IFEO or SilentProcessExit keys for a target executable (e.g., \u003ccode\u003enotepad.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDebugger\u003c/code\u003e or \u003ccode\u003eMonitorProcess\u003c/code\u003e value is set to point to a malicious executable.\u003c/li\u003e\n\u003cli\u003eWhen the target executable is launched by a user or system process, the malicious executable is launched instead.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as installing malware, stealing credentials, or establishing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence through the IFEO injection, as the malicious executable will continue to be launched whenever the target executable is run.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful IFEO injection can allow attackers to maintain persistent access to a system, execute malicious code without detection, and potentially compromise sensitive data. IFEO injection can lead to a full compromise of the affected system, potentially impacting all users and applications on the system. This technique is often used in conjunction with other attack methods to achieve broader objectives, such as data exfiltration or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing to monitor changes to the IFEO and SilentProcessExit registry keys, enabling detection of unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious registry modifications related to IFEO injection.\u003c/li\u003e\n\u003cli\u003eReview and update the exceptions list in the Sigma rules to account for legitimate uses of the Debugger and MonitorProcess registry keys, reducing false positives.\u003c/li\u003e\n\u003cli\u003eMonitor process execution and correlate with registry modifications to identify potentially malicious processes launched via IFEO injection.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-ifeo-injection/","summary":"Attackers can establish persistence and evade defenses by modifying the Debugger and SilentProcessExit registry keys to perform Image File Execution Options (IFEO) injection, allowing them to intercept file executions and run malicious code.","title":"Image File Execution Options (IFEO) Injection for Persistence and Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-ifeo-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003ePowerShell profiles are scripts that run when PowerShell starts, customizing the user\u0026rsquo;s environment. Attackers can abuse this feature to gain persistence by modifying these profiles to execute malicious code each time a user launches PowerShell. The modification of PowerShell profiles allows the attacker to run arbitrary commands without requiring user interaction or explicit execution of malicious scripts. The targeted profile file names include \u003ccode\u003eprofile.ps1\u003c/code\u003e and \u003ccode\u003eMicrosoft.Powershell_profile.ps1\u003c/code\u003e, and the attack affects Windows systems where PowerShell is commonly used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of PowerShell profile scripts, typically found in \u003ccode\u003eC:\\Users\\\u0026lt;Username\u0026gt;\\Documents\\WindowsPowerShell\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing PowerShell profile (e.g., \u003ccode\u003eprofile.ps1\u003c/code\u003e) or creates a new one if it doesn\u0026rsquo;t exist.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the PowerShell profile. This code could download and execute additional payloads, establish a reverse shell, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious code runs when PowerShell is launched by modifying the profile content.\u003c/li\u003e\n\u003cli\u003eWhen a user opens PowerShell, the profile script executes automatically, running the injected malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as establishing persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems. This persistence can be used to perform various malicious activities, including data theft, lateral movement, and deployment of ransomware. The severity is medium as it requires local access or prior compromise, but can lead to significant impact if successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Profile Modification\u0026rdquo; to detect unauthorized changes to PowerShell profile scripts.\u003c/li\u003e\n\u003cli\u003eMonitor file creation and modification events in the \u003ccode\u003eC:\\Users\\*\\Documents\\WindowsPowerShell\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\WindowsPowerShell\\\u003c/code\u003e directories for suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell script block logging and transcription to gain visibility into the contents of PowerShell scripts being executed.\u003c/li\u003e\n\u003cli\u003eRestrict PowerShell usage to authorized personnel via Group Policy or other application control mechanisms.\u003c/li\u003e\n\u003cli\u003eRegularly audit PowerShell profiles for suspicious or unexpected code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:17:05Z","date_published":"2024-01-02T18:17:05Z","id":"/briefs/2024-01-powershell-profile-persistence/","summary":"Attackers can modify PowerShell profiles to inject malicious code that executes each time PowerShell starts, establishing persistence on a Windows system.","title":"Persistence via PowerShell Profile Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-profile-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — CrowdStrike FDR","version":"https://jsonfeed.org/version/1.1"}